Abstract

A proactive threshold secret sharing cryptosystem using a set of servers. The cryptosystem is a threshold cryptosystem, in the sense that service is maintained if at least (k + 1) out of n servers are active and honest. The secret signature key is compromised only if the adversary breaks into at least (k + 1) servers. It is robust in the sense that the honest servers detect faulty ones and the service is not disrupted. It is recoverable, because if the adversary erases all the local information on the server it compromised, the information can be restored as soon as the server comes back to performing the correct protocol. The method and system has proactiveness, which means that in order to learn the secret, the adversary has to break into (k + 1) servers during the same round of the algorithm because the shares of the secret are periodically redistributed and rerandomized. The present invention uses a verifiable secret sharing mechanism to get the security requirements during the update between two rounds. The security of the scheme depends on the assumption of intractability of computing logarithms in a field of a big prime order and the ElGamal signature scheme.
(54) Method and system for a public key cryptosystem having proactive, robust, and recoverable distributed threshold secret sharing

Description

TECHNICAL FIELD OF THE INVENTION 

The present invention relates to data processing systems and more particularly to data processing systems including cryptographic mechanisms for information security.

BACKGROUND OF THE INVENTION 

Public key encryption systems are used to send and receive encrypted messages. Public key encryption systems are those in which a message is encrypted by performing a mathematical algorithm using a publicly available value, called the public key. Then, the recipient decrypts the message by performing an algorithm using a private value, called the private key. Public key encryption depends on choosing an encryption algorithm, E, and a decryption algorithm, D, such that deriving D, even given a complete description of E, would be effectively impossible. The three requirements of public key encryption are:

1. D(E(P)) = P , wherein P is the message; 

2. It is exceedingly difficult to deduce D from E; and 


3. E cannot be broken by attacking P. 

Thus, the public key can be distributed freely. The private key, however, must be kept private by the entity that uses it. If an intruder accesses the memory content of the entity, the system security is broken. This holds true for all the original public key patents. In key escrow systems and Micali's fair cryptosystems, the private key is split into many portions and each portion is held by a different entity. However, if with passing time an intruder is able to read each entity's memory, system security is broken.

Proactive Secret Sharing 


To explain the concept of proactive secret sharing, the terminology of secret sharing schemes and their security 
characteristics must be explained. 

Threshold, Robustness and Recoverability in Secret Sharing


Secret sharing was first introduced by G.R. Blakley, Safeguarding Cryptographic Keys, AFIPS Conf. Proc. (v. 48), 1979, pp. 313-317 and A. Shamir, How to Share a Secret, Commun. ACM, 22, 1979, pp. 612-613, which are both hereby incorporated by reference. In its most basic form, secret sharing is a way to divide a secret piece of information M among n participants, called share holders, so that together they will be able to reconstruct it. However, no group of (n - 1) share holders can learn anything about M. This mechanism is used to increase security whenever there is a need to safeguard a piece of information. The increase in security corresponds to being able to guard the secret from an adversary who can break into some servers, but not all of them.
Every secret sharing scheme has these conceptual phases: 

(1) a dealing phase, when a dealer who knows the secret creates its shares and distributes them among the share holders;

(2) a storage phase, when the shares are maintained by the share holders; and

(3) a reconstruction phase, when the share holders reconstruct the secret from their shares.

The basic secret sharing described above is not very practical because if an adversary compromises a share holder and erases or modifies the secret share held by that holder, the secret M can never be reconstructed. Hence, the above scheme is secure against an adversary who can break into (n - 1) servers and learn their shares, but cannot erase or modify servers' memories or storage, cannot cause any server to crash and does not interfere either with the dealing of the shares or with the reconstruction of the secret.

Before the properties of secret sharing that make the basic scheme more secure are defined, the different types of adversary's attacks on servers must be defined:
A server is compromised to the adversary if she breaks into it and learns all the secret information stored at this server: its secret share and keys used for communication.

The adversary freezes a server if she causes it to stop working. It is assumed, however, that as soon as the adversary is purged, the server can return to performing the correct protocol (i.e., no data is lost). Cutting the server's access to the network is an example of freezing a server. Shutting off the power or killing all the processes on the server also constitute freezing, if all the necessary data (variables and the algorithm code) is not erased or modified. A frozen server does not send or receive any messages; it is idle until human intervention brings it up again.

The adversary controls a server if she can change the protocol it performs and cause it to send messages that are incorrect with respect to the original protocol. From the other servers' point of view, such a server is cheating or dishonest. Freezing is a trivial case of controlling.

The adversary disables a server when she manages to erase or modify the secret data that the server stores. Erasing the protocol code or erasing public keys of other servers makes it harder for the system management to bring this server back to life, but since this information is public, it can be reinstalled into the server without exposing any secret information to the system operators. It is the destruction of the server's secret share that makes a qualitative difference between freezing and disabling.

The desirable properties of secret sharing schemes, which offer security against the above types of adversaries, are described below. The concern is with security during the storage and reconstruction phases while leaving the dealing phase as insecure as in the basic secret-sharing scheme described above. This concern can be contrasted with verifiable secret sharing schemes, which aim at increasing security during the dealing phase.

A secret sharing scheme is called a threshold scheme if only (k + 1) out of n servers need to cooperate to reconstruct the secret. This property makes the system secure against attackers who:

During the reconstruction phase freeze or disable up to k out of n servers. During the storage phase, the adversary 
can freeze more servers, and the threshold scheme will still be secure, provided that these servers are brought up 
before the reconstruction phase starts. 

During the lifetime of the algorithm compromise k out of n servers. Compromising (k + 1) out of n servers allows 
the adversary to reconstruct the secret by herself. 

The above two requirements can be met only if the threshold k is a strict minority, i.e., when $2k + 1 \le n$.

A secret sharing scheme is called robust if the reconstruction phase is secure in the presence of up to k cheating 
servers. The threshold scheme by itself relies on the fact that when the attacker can disable or freeze, but cannot control 
the compromised servers, then there is no problem in picking the group of (k + 1) non-faulty servers to reconstruct the 
secret, because faulty means non-active. In short, robustness makes the threshold scheme secure against adversaries 
who during the reconstruction phase can disable or control no more than k servers in total. 

A threshold secret sharing scheme is recoverable if the proper secret share can be restored to the server that lost it. This scheme assumes that a loss can happen during the storage phase only. Thus, the recovery mechanism will be carried out during the storage phase. The property of recovery in secret sharing is the object of the present invention. It makes the robust threshold scheme secure against adversaries who can disable or control no more than k out of n servers at any time during the storage phase. Whenever the system notices that some servers are disabled, the recovery phase starts and it will be successful assuming that it is so short that the adversary will not jump to other servers during this phase.

Recovery is needed whenever the secret share is lost. But that can happen with or without the adversary learning this secret share. The share might be lost because an adversary with compromising and disabling capabilities broke into a server, learned its secret share and erased or modified it. But the share might be lost due to a power outage. One could argue that in the first case, the secret could just as well be restored publicly since the adversary knows it anyway. However, there might be more than one adversary, in which case, public recovery of a share spares the other adversaries some work. Also, since a mechanism to deal with the case of disability due to the power outage exists, it can be used in the case when one of the adversaries knows the secret. It is hard to know which case the security scheme is dealing with, so it is better to use one secure recovery mechanism whenever a secret share is lost.

Secret Recovery and Server Authentication 

EP0 723 348 A2

If the adversary has capability of erasing or modifying the local storage and memory of the compromised server, and she can also inject messages to the communication channels between the servers, a fully automatic recovery is impossible. A human being must reboot the server, start up the process performing the secret-sharing algorithm and reinstall some means of mutual authentication between this server and the others.

The issue of server authentication is rarely discussed in connection to secret sharing. However, server authentication is necessary to preserve the security of the recovery protocol in the presence of an adversary who can send messages to the servers from outside the group of servers that participate in secret sharing. The recovering server A must have some means of authenticating the servers B that try to reinstall its share. Also, the servers B must be sure that it is indeed A to whom they are giving the proper share. These goals can be reached with either secure links between A and B's or with pairs of secret/public decryption and signature keys between A and servers in B. However, if the server A lost its secret share, it could also lose all its other secret keys used for securing and authenticating its links with the other servers B. This means that human intervention in reinstalling means of authentication to a disabled server is necessary for recovery. This intervention will either consist of installing new server to server link security between A and servers B, or in reinstalling B's public authentication/encryption keys on A, letting A compute its new private keys and securely installing them on servers B. In the example of a proactive system, private/public keys are used for server to server communication, and hence the human intervention in the recovery mechanism will be of the second type.

Proactiveness 

A new property of secret sharing schemes must be defined: proactiveness. Proactiveness increases security by restricting the rate with which the adversary can compromise servers. The storage phase of the proactive secret sharing scheme is composed of rounds divided by short update phases. The scheme is secure against the adversary who can compromise no more than k servers during the same round. Without proactiveness, the scheme is secure against the adversary who can compromise up to k servers during the whole storage phase, i.e., effectively during the lifetime of the algorithm. A proactive scheme is secure against the adversary who compromises all of the servers, provided she does not do it too quickly. This property is achieved by a re-randomization of the secret shares held by the servers during the update phases. The update protocol is equivalent to re-dealing the secret without revealing it in the process. Formally, the update must achieve the following:

1. No group of k or fewer servers participating in the update protocol can learn anything about the new shares of other servers.

2. Knowing k out of n previous shares and k out of n new shares does not reveal any information about the secret share.

Proactiveness Versus Threshold, Robustness and Recovery 

An adversary during the update phase protocol should be no stronger than during the reconstruction phase. Therefore, to proactivize a robust, recoverable threshold secret sharing scheme, the update phase must be secure against the adversary who can disable or control up to k servers.

Proactiveness and recoverability in secret sharing make the most sense when they are used together. Notice that without a recovery mechanism, the proactive secret sharing increases security against some types of attack but decreases it against others. Non-proactive secret sharing schemes are secure against adversaries who can control servers during the storage phase, simply because the servers do not do anything during that phase. During the storage phase in a proactive scheme, servers periodically update their shares. Therefore, if a server is frozen or controlled during an update phase it will not have a proper share in the next round, which is equivalent to the case of the adversary with disabling capabilities. Hence, a proactive scheme is secure against an attacker who can control up to k servers in one round only if it has a recovery mechanism. Also it is secure against an attacker who can control or disable up to k servers in one round.

SUMMARY OF THE INVENTION 

It is an object of the present invention to provide a method of and system having a proactive, robust and recoverable 
distributed threshold secret sharing scheme. 

It is another object of the present invention to provide a proactively secure key certification authority using the 
above scheme. 

The foregoing and other objects are achieved by a method and system which provides a proactive threshold secret sharing cryptosystem using a set of servers. The proactive secret sharing cryptosystem is a distributed threshold cryptosystem, in the sense that service is maintained if at least (k + 1) out of n servers are active and honest. The secret signature key is compromised only if the adversary breaks into at least (k + 1) servers. It is robust in the sense that the honest servers detect faulty ones and the service is not disrupted, even when the servers infiltrated by the adversary are cheating. It is recoverable, because if the adversary erases all the local information on the server it compromised, the information can be restored as soon as the server comes back to performing the correct protocol. The method and system has proactiveness, which means that in order to learn the secret the adversary has to break into (k + 1) servers during the same round of the algorithm because the shares of the secret are periodically redistributed and rerandomized. The present invention uses a verifiable secret sharing mechanism to get the security requirements during the update between two rounds. The present invention assumes that the servers are communicating through a broadcast medium, that they have fully synchronized, unbreakable local clocks and that they have local sources of true randomness. The security of the scheme depends on the assumption of intractability of computing logarithms in a field of a big prime order. It also depends on the security of the ElGamal signature scheme, which is used for server-to-server authentication.

The foregoing has outlined rather broadly the features and technical advantages of the present invention in order 
that the detailed description of the invention that follows may be better understood. Additional features and advantages 
of the invention will be described hereinafter which form the subject of the claims of the invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention, and the advantages thereof, reference is now made 
to the following descriptions taken in conjunction with the accompanying drawings, in which: 

FIGURE 1 is a diagram of a server console; 

FIGURE 2 is a block diagram showing servers connecting to a communications channel; 

FIGURE 3 is a flow chart showing a high-level view of the sequence of steps of a preferred embodiment of the 
present invention; 

FIGURE 4 is a flow chart showing the sequence of steps of a preferred embodiment of the share update protocol of the present invention;

FIGURE 5 is a flow chart showing the sequence of steps in step 410 of FIGURE 4; and

FIGURE 6 is a flow chart showing the sequence of steps of a preferred embodiment of the share recovery protocol 
of the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT OF THE INVENTION

The present invention is a proactive threshold secret sharing scheme with properties of robustness and recoverability. Disclosed are the model and goals of this scheme and the tools that it uses. Also disclosed is a Key Certification Authority system using the present invention. The security of the scheme depends on the assumption of intractability of computing logarithms in a field of a big prime order. It also depends on the security of the ElGamal signature scheme, which is used for server-to-server authentication. The ElGamal signature scheme is disclosed in T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. on Information Theory 31, p. 465, 1985, which is hereby incorporated by reference.

Model of the System and Assumptions About the Adversary 

Assume a system of n servers $A = \{P_1, P_2, \dots, P_n\}$ that will proactively secret-share value x. Also, assume that the system is securely and properly initialized. The goal of the scheme is to prevent an adversary from learning x. At the same time, the adversary cannot prevent servers A from reconstructing x themselves when they need to. Given are specifications about servers A and the communication network they communicate with. Also specified are the interaction mechanisms between the servers A and the human management as well as the trust held by the management.

Model of Proactive Servers 

A representative hardware configuration of a server for practicing the present invention is depicted in Figure 1, which illustrates a typical hardware configuration of a workstation in accordance with the subject invention having central processing unit 10, such as a conventional microprocessor, and a number of other units interconnected via system bus 12. The workstation shown in Figure 1 includes random access memory (RAM) 14, read only memory (ROM) 16, and input/output (I/O) adapter 18 for connecting peripheral devices such as disk units 20 and tape drives 40 to bus 12, user interface adapter 22 for connecting keyboard 24, mouse 26, speaker 28, microphone 32, and/or other user interface devices such as a touch screen device (not shown) to bus 12, communication adapter 34 for connecting the workstation to a communications network, and display adapter 36 for connecting bus 12 to display device 38.

Figure 2 shows how servers A are connected via private links L to a common broadcast medium C called the communication channel or communication network, which also connects them to the outside world. The broadcast medium has the property that whenever a message is sent to it from a link connecting it to some server, it instantly reaches all the other links connected to this medium. The present invention assumes the servers in A are equipped with secure and synchronized clocks (not shown), which do not change or fail even when the adversary controls or disables a server. These clocks divide the time between rounds and update phases. Because of synchronization, every server in A gets the signal to start the update phase at the same time. Also assumed is that every server in A has a source of true randomness (not shown). If the adversary compromises a server, she cannot predict the future random numbers generated on that server. Every server also has a figurative unbreakable box that contains a code with the algorithm described below for every server (not shown).

Adversary 

The adversary's model of attacks on the servers A is an extension of a "mobile fault" model. R. Ostrovsky & M. Yung, How to Withstand Mobile Virus Attacks, Proc. of the 10th ACM Symposium on the Principles in Distributed Computing, 1991, pp. 51-61 and R. Canetti & A. Herzberg, Crypto 94, both of which are hereby incorporated by reference. Let $k_1^{(t)}$ be the number of servers in A the adversary corrupts at any point during round t and let $k_2^{(t)}$ be the number of additional servers whose links to the communication channel are under active attack by the adversary at any point during the round t. Then, our proactive secret-sharing scheme is secure against the adversary for whom $k_1^{(t)} + k_2^{(t)} \le k$ for every round t. To achieve this bound we need $n \ge 2k + 2$ servers in A.

The scheme can easily be made secure against stronger adversaries. First, it is possible to achieve the same bound k on adversaries in the round with one less server, i.e., $2k + 1 \le n$. Second, with changes to the synchronization mechanism, more attacks on the links can be allowed, because all such attacks are always detected by the system and the servers could halt the protocol until the management removes the adversary from the link.

Corrupting a server means any of the following: 

Compromising it: Learning all the data it stores. 

Controlling it: Making it faulty with respect to the specified protocol. This includes freezing the machine. 
Disabling it: Modifying (or erasing) its data. 

Additionally, the adversary always knows the data classified as public and it knows the algorithm that each machine performs. For simplicity, the present invention treats "natural" power outages, data loss and other hardware failures as actions of the adversary. Therefore, every time a machine is faulty, assume that it is the adversary that corrupted it.

When a server is corrupted at any point during the update phase between two rounds, the server is corrupted for both of these rounds. The reason behind this way of counting corrupted servers is that it is impossible or at least very hard to differentiate between an adversary who moves from one server to another during the update phase and the adversary who just stays in both all throughout. This differentiation is not a realistic concern in this setting, where the update phase is negligibly short when compared to the length of one round. Furthermore, the present invention treats the adversary who jumps from one server to another in the same way as if both of them are corrupted throughout the round.

Apart from attacking servers in A, the adversary can attack the communication network between them. Assume the adversary has its own server E that is connected via its link to the same communication channel C that connects servers A. Therefore, it can both listen to messages broadcast on C and broadcast messages to C. However, when a message reaches the communication channel, the adversary cannot prevent it from reaching all the links connected to it. The adversary can also make an attack on the link connecting some server in A with the communication channel. If a link to server $P \in A$ is under such attack, the adversary can block it both ways: it can prevent P from hearing the messages that are broadcast on C as well as stop the messages sent by P from being broadcast on C. Formally, the adversary can see all the tapes of both links L and the communication channel C. Replacing the algorithm of some link L with the adversary's algorithm constitutes an active attack on that link, while tampering with the algorithm of C is forbidden in this model.

The present invention assumes that the adversary attacking the servers A and the links L is "removable"; it can be removed when it is detected. However, server E is not "removable"; it cannot be traced or cut from C.

Assumptions About the Human Management of the System 

Every server in A has console 38 through which it can display information to the human management. Through console 38 the managers can reboot the server and perform a procedure for renewal of the authentication keys. The console program allows for entering data to the server. The management is trusted in the following ways: they will not tamper with the servers and they won't cheat in the protocol specified for them. In other words, the management is trusted to follow instructions on when and how to reboot a server and perform the reinstallation of authentication keys. The human management is responsible for tracing down the adversary attacking on the links. Assume that whenever the management is instructed to check whether the link is under attack and remove the potential attacker, the procedure is always successful. Also assume that all the procedures of rebooting servers, reinstalling public authentication keys and removing adversaries from the links take less time than the length of a round.

The Secret Sharing Scheme 

A preferred method of the proactive verifiable secret sharing scheme of the present invention is shown by the flow chart of Figure 3. Figure 4 is a detailed flow chart of step 314 in Figure 3. Similarly, Figure 5 is a detailed flow chart of step 410 in Figure 4.

Initialization 

Step 310 is to initialize the servers. Let p be a prime number such that p = mq + 1, where q is also prime and m is a small integer like 2, 3 or 4. Let g be an element of $\mathbb{Z}_p^*$ of order q. The prime p is chosen to be secure for the ElGamal encryption and signature schemes. The secret value x belongs to $\mathbb{Z}_q$. Use a modification of Shamir's secret sharing over a finite field $\mathbb{Z}_q$ as the threshold secret sharing scheme: there exists a (k + 1) degree polynomial f in $\mathbb{Z}_q[z]$, such that $f(0) = x \pmod q$ and every server $P_i$, $i \in \{1, \dots, n\}$, has its secret share $x_i^{(1)} = f(i) \pmod q$. The index (1) denotes that these will be the values used in the first round.

Additionally, each server $P_i$ has its private authentication and encryption key $w_i$, a random number in $\mathbb{Z}_q$. The set of public counterparts to these keys $\{r_i^{(1)}\}_{i \in \{1, \dots, n\}}$, where

$$r_i^{(1)} = g^{w_i^{(1)}} \pmod p,$$

is public and stored by every server in A. Additionally, every server needs a set of one-way hashes of all $x_i$'s for robustness in reconstruction of the secret. The present invention uses exponentiation as a one-way hash, and so every server stores a set $\{y_i^{(1)}\}_{i \in \{1, \dots, n\}}$, where
As mentioned in the description of the model, the present invention assumes that the adversary is not present in any way (passively or actively) during the initialization stage. Consequently, this initialization can be done openly.

After the initialization, local clocks of servers in A start ticking. At this point, the operation of the servers is synchronized into discrete time periods or rounds (step 312). At the end of each round, an update phase is triggered (step 314). In the update phase servers A perform an update protocol and then there is a reserved time for management to perform optional (up to k of them) key reinstallation procedures followed by share reconstruction protocols. The update phase is long enough to encompass all of these, but it is assumed to be short in comparison to a round.



Update Protocol 



To update the shares, as shown by step 314 and Figure 4, the present invention adapts a simplified version of the update protocol presented in R. Ostrovsky & M. Yung. When the secret x is stored as a value f(0) = x of a k degree polynomial f in $\mathbb{Z}_q[z]$, it can be updated by adding it to a k degree random polynomial $\delta(\cdot)$, where $\delta(0) = 0$, so that $f^{(t+1)}(0) = f^{(t)}(0) + \delta(0) = x + 0 = x$. Ostrovsky and Yung noticed that the linearity of the operation of computing a polynomial at a point allows for a very simple update of the shares $x_i = f(i)$, namely:

$$f^{(t+1)}(\cdot) \leftarrow f^{(t)}(\cdot) + \delta(\cdot) \pmod q \quad \Rightarrow \quad \forall i \;\; f^{(t+1)}(i) = f^{(t)}(i) + \delta(i) \pmod q$$

In the present system, $\delta(\cdot) = f_1(\cdot) + f_2(\cdot) + \dots + f_n(\cdot) \pmod q$, where each polynomial $f_i$ with $f_i(0) = 0$, $i \in \{1, \dots, n\}$, of degree (k + 1) is picked independently and at random by the i-th server. The update protocol for each server $P_i$, $i \in \{1, \dots, n\}$, is as follows:

1. $P_i$ picks (k + 1) random numbers $\{f_{ij}\}_{j \in \{1, \dots, k+1\}}$ from $\mathbb{Z}_q$. These numbers define a polynomial $f_i(z) = f_{i1} z + f_{i2} z^2 + \dots + f_{i(k+1)} z^{k+1}$ in $\mathbb{Z}_q[z]$ whose free coefficient is zero and hence $f_i(0) = 0$.

2. For all other servers $P_j$, $P_i$ sends $f_i(j) \pmod q$ to $P_j$.

3. $P_i$ computes its new share $x_i \leftarrow x_i + (f_1(i) + f_2(i) + \dots + f_n(i)) \pmod q$ and erases all the variables it used except its current secret key $x_i^{(t+1)}$.

To make this protocol secure against the adversary with controlling capabilities, the present invention uses the mechanism of verifiable secret sharing using one-way functions presented by P. Feldman, A Practical Scheme for Non-interactive Verifiable Secret Sharing, Proc. of the 28th IEEE Symposium on the Foundations of Computer Science, pp. 427-37, 1987 and then discussed by T. P. Pedersen, Distributed Provers with Applications to Undeniable Signatures, Eurocrypt '91, 1991, which are both hereby incorporated by reference. This particular verifiable secret sharing scheme is used because it is non-interactive, and its side effect is that it allows for update of the secret's exponents $y_i$ together with updating the $x_i$'s.

The honest servers should unanimously mark their shares of updating polynomial $f_i$ produced by server $P_i$ as "bad" in the following two cases:

1. If the shares $f_i(j)$ that the $P_j$'s receive are not values of any polynomial of degree (k + 1), or they are, but this polynomial $f_i$ is not a correct update polynomial because $f_i(0) \neq 0$.

2. If the shares used for updating the public values $y_j$ do not correspond to the secret update shares $\{f_i(j)\}_{j \in \{1, \dots, n\}}$ of $f_i$.

The values $w_j$, $r_j$ as private/public key counterparts are used for authentication of messages coming from $P_j$ and encryption of messages destined for $P_j$ with ElGamal encryption. When $P_i$ encrypts $m \in \mathbb{Z}_q$ for $P_j$, it sends $E_j[m] = (m \cdot (r_j)^{k}, \; g^{k})$, where k is a random exponent (not the threshold k) and the exponents are computed in $\mathbb{Z}_p$. The receiver decrypts by using

$$m = m \cdot (r_j)^{k} \cdot (g^{k})^{-w_j} \pmod p.$$

The signature operation uses a collision-free hash function $h : \mathbb{N} \to \mathbb{Z}_q$. The signature of message m with key $w_j$, $S_j[h(m)] = (r, s)$, is given by $r = g^{k} \pmod p$, $s = k^{-1}(h(m) - r w_j) \pmod q$. This signature can be verified with the public counterpart

$$r_j = g^{w_j} \pmod p$$

of $w_j$ by checking the equation

$$g^{h(m)} = r_j^{\,r} \cdot r^{s} \pmod p.$$

The hash function h must have the property that, knowing m and $S_j[h(m)]$, one cannot produce any pair $m'$, $S_j[h(m')]$ where
All through the update phase, the encryption and authentication is performed with values w_i^(t), r_i^(t) where t is the round
that has just ended. The adversary who compromised a server during this round will know the secret key this server uses
to sign and decrypt during the update protocol.

The Full Update Protocol

The following steps detail the update protocol used by the servers in step 314: 

At step 410, each server P_i picks (k + 1) random numbers f_{i1}, f_{i2}, ..., f_{i(k+1)} in Z_q which define an updating polynomial

f_i(z) = f_{i1} z + f_{i2} z^2 + \cdots + f_{i(k+1)} z^{k+1} \ \text{in } Z_q \quad (step 510).

It forms (n - 1) shares u_{ij} = f_i(j) (mod q), j ≠ i, of this polynomial (step 512), and creates its message msg_i

msg_i = \bigl((g^{f_{i1}}, g^{f_{i2}}, \ldots, g^{f_{i(k+1)}}),\ E_1[u_{i1}], E_2[u_{i2}], \ldots, E_n[u_{in}]\bigr) \quad (1)

where all exponentials are computed in Z_p (step 514). Additionally, each server P_i picks its new private key w_i^(t+1) as a
random number in Z_q (step 516), and computes its corresponding new public key:

r_i^{(t+1)} = g^{w_i^{(t+1)}} \pmod p

(step 518). P_i then broadcasts a pair (msg_i, r_i^(t+1)) signed with its old key w_i^(t) (steps 412 and 520).
At step 414, each server considers the messages it received in the previous step. If for some i it received no or
more than one authenticated message of the form (msg_i, r_i^(t+1)), it marks P_i as "bad". Let B_j be the set of indexes of serv-
ers not marked as "bad". P_j then decrypts the E_j[u_{ij}] parts of messages msg_i, i ∈ B_j. Then, for every i ≠ j, it verifies
whether u_{ij} agrees with the coefficients given in the

(g^{f_{i1}}, g^{f_{i2}}, \ldots, g^{f_{i(k+1)}})

part of the message msg_i:

g^{u_{ij}} = (g^{f_{i1}})^{j}\,(g^{f_{i2}})^{j^2} \cdots (g^{f_{i(k+1)}})^{j^{k+1}} \pmod p \quad (2)

If this equation does not hold, P_j marks P_i as "bad", removes i from B_j and creates an accusation that it was cheated by
P_i: acc_{ij} = (i, j). For each server marked "bad", P_j displays corresponding messages to the management on its display
showing why it thinks something is wrong with P_i. Then, at step 416, the server broadcasts a signed set of all its accu-
sations concatenated with the set of all new public keys it received in the previous step. The signature is made with the
old private key w_j^(t).

At step 418, each server P_i verifies signatures on the messages broadcasted in the previous step. If more than one
message is broadcasted with the same signature, the corresponding server is marked "bad", set B_i is reduced and the
proper messages for the management are displayed on P_i's console. Servers display the set of pairs (i, j) on their con-
soles such that a new public key r_i^(t+1) was not acknowledged by P_j. This lets the management trace where the active
link attacks are. However, the lack of acknowledgements for new public keys does not influence B_i. For each accusation
acc_{ij} by some server P_j, j ∈ B_i, server P_i broadcasts a signed response containing the share and the random vector
used in communication with P_j: resp_{ij} = (u_{ij}, k_{ij}), so as to allow for a public trial to determine who was cheating.
These responses should be concatenated and broadcasted with one signature.
At step 420, if more than one response was broadcasted with the signature of the same server, every server P
marks it as "bad", reduces its set B_P and displays messages for the management. Each server P makes its own decision
for every pair (acc_{ij}, resp_{ij}) that was properly broadcasted by P_j in step (1). The values sent in resp_{ij} are treated with
suspicion, so they are denoted with "primes": u'_{ij}, k'_{ij}. Every server P decides according to the following algorithm:

(a) If

E_j[u_{ij}] \neq \bigl(u'_{ij}\,(r_j^{(t)})^{k'_{ij}} \pmod p,\ g^{k'_{ij}} \pmod p\bigr),

or when P_i did not respond to P_j's accusation at all, then P_i is cheating and so it must be marked as "bad". Other-
wise:

(b) If (u'_{ij}, k'_{ij}) are indeed the values that were used in msg_i, then check whether u'_{ij} = u_{ij} is the proper share of
polynomial f_i, by evaluating the same equation (2) as should be used by P_j in step (2). If the equation does not
agree, then it is a proof that P_i sent a bad share to P_j and so it must be marked as "bad". If the equation is correct,
then P marks P_j as "bad".

For each server marked "bad", set B_j is reduced and corresponding messages on P_j's console are displayed.
At step 422, each server P_j computes:

Also, each server deletes all the variables used in this protocol, except the new share x_j^(t+1), the new key w_j^(t+1), the set
{y_i^(t+1)}_{i ∈ {1,...,n}} and the set {r_i^(t+1)}_{i ∈ {1,...,n}} of new public keys.

The proper update polynomial δ(·) is equal to the sum

\delta(\cdot) = \sum_{i \in B} f_i(\cdot) \pmod q,

where B = B_i (in step 420) for at least (k + 2) servers P_i, i ∈ {1,...,n}.

Whenever a server P is expecting to receive a signed broadcast of a message of a known format and it receives
two such messages, both seemingly coming from the same server P_j, then P marks P_j as faulty. Of course, the attacker
could always send the same message that P_j did. In this protocol, every server sends up to three messages. Therefore,
whenever P gets a set of messages S_j seemingly signed by P_j, it should throw away those elements of S_j that were
broadcasted by P_j in some previous step of the protocol, and then if all other elements of S_j are the same, take this ele-
ment as P_j's message. Otherwise, mark P_j as "bad", because it is either cheating or it is duplicated by the adversary
who compromised its authentication key. Another fine point is that if P_i sees some messages signed seemingly by itself,
it also marks itself as "bad" and computes B_i accordingly. This way, even though it is duplicated, it will compute its new
share x_i^(t+1) and all {y_j^(t+1)}_{j ∈ {1,...,n}} correctly. Its new public authentication and encryption key r_i^(t+1) is not acknowledged
though, and must still be taken care of.

Analysis of the Update Protocol 

The adversary can interfere with the above protocol in three ways: 

• It can make the server it controls cheat in this protocol. A disabled server will look like it is cheating or like it is send-
ing random messages (if it encrypts and signs messages with the wrong keys).






EP 0 723 348 A2 



• It can send messages signed with the keys of the server it compromised during the round before this update phase.
For the other servers, this case is indistinguishable from the case when the server is still controlled by the adver-
sary.

• It can attack a link between a server and a communication channel.

Since at every update round there are (k + 2) servers who are honest, who were not compromised in the previous
round and whose link to the communication channel is not under active attack, these servers' sets B_i will all be the same
and will have at least (k + 2) elements. Therefore, the secret-sharing polynomial f will be updated with at least (k + 2)
polynomials none of which can be reconstructed by the adversary. In the worst case, the adversary can learn k
shares of each of these polynomials, but since they are all of degree (k + 1) and f_i(0) = 0 for each of them, one
needs (k + 1) shares to reconstruct them.

Recovery After Update 

From the messages displayed on the servers' consoles, the management can decide which machines are control-
led, compromised or disabled and which links were under active attack by the adversary. In particular, the consoles will
display information on two (often intersecting) sets of servers:

• Those who didn't receive some acknowledgements of their new public keys.

• Those whose new public keys are not acknowledged by at least (k + 2) servers, whose secret shares x_i^(t+1) are
badly computed and inconsistent with the new polynomial f^(t+1). Also, their view of the current set {y_j^(t+1)}_{j ∈ {1,...,n}} is
not correct.

The first set gives the management information about the active link attacks. The managers then promptly remove
the adversary from the deduced links. With regard to the second set, the managers first perform a key reinstallation pro-
cedure (step 316) and then trigger an automatic share recovery protocol (step 318). Let C be the set of servers in A
whose public keys {r_i} are well-distributed and acknowledged by other servers. Then |C| ≥ k + 2.

The reinstallation of P_i's key (step 316) is as follows: Through P_i's console, the managers install the set {r_j}_{j ∈ C} and
then ask P_i to pick its new random private key w_i ∈ Z_q. P_i picks such a number and displays the corresponding public
key

r_i = g^{w_i} \pmod p.

The managers then install this number in all other servers. Set C is augmented by P_i. When this reinstallation is fin-
ished, the managers trigger the recovery protocol on servers C. Alternatively, the servers themselves are programmed
so that whenever some public key is reinstalled in them they start an agreement protocol to trigger the recovery protocol
automatically, when all the servers in C are ready.

Share Recovery Protocol 

Let P_u denote the server whose share x_u = f(u) needs to be reinstalled. At first, step 610, the servers choose an
initial set B ⊂ C \ {P_u} of (k + 2) servers. They are picked from C because they must be able to authenticate themselves
to P_u and vice-versa. This is easy since servers are ordered by indexes and they know the current state of C, i.e., serv-
ers who have working authentication and encryption keys. The protocol must have the following properties in the pres-
ence of the adversary:

• P_u learns only x_u, i.e., it can't learn any other share x_i where i ∈ B.

• No (k - 1) group F ⊂ A \ {P_u} of servers can learn x_u or any x_j, where j ∈ A \ F.

• Server P_u learns the proper set {y_j}_{j ∈ {1,...,n}}.

The basic set of (k + 2) servers with valid shares of f can recover not only x = f(0) (mod q) but any other value
of f, in particular the share x_u = f(u) (mod q) that P_u needs. This can be done with the Lagrange interpolation for-
mula. After set B of (k + 2) servers that are supposed to cooperate is established, each P_i, i ∈ B sends
a_i = x_i \prod_{j \in B,\, j \neq i} \frac{u - j}{i - j} \pmod q

to P_u. Then P_u adds them together to get

x_u = f(u) = \sum_{i \in B} a_i \pmod q.

However, if the present invention only did that, P_u would also learn all x_i's from the a_i's. But the present invention can treat
the a_i's as trivial secret shares of x_u. So the present invention requires servers in B to rerandomize these shares before
sending them to P_u: Each server P_i in B picks (k + 2) random numbers {c_{ij}}_{j ∈ B} in Z_q. Then they exchange these values
pairwise: P_i gives c_{ij} to P_j and gets c_{ji}. And then each sends a'_i = a_i + Σ_{j ∈ B} c_{ij} - Σ_{j ∈ B} c_{ji} (mod q) to P_u. Notice that
Σ_{i ∈ B} a'_i = x_u (mod q), so this is another secret sharing of x_u. Now the basic scheme must be made verifiable using
the same tools used in the update phase protocol.

Given below is the full protocol for making the scheme verifiable. Notice that all broadcasts involve servers in C,
including the ones that are not currently in set B and the server P_u. For clarity, the below does not mention that for every
authenticated broadcast, the recipients check the signature on the message and when there is a duplication attack
(because the sender is cheating or its keys are compromised and duplicated), they mark this server as "bad" and dis-
play adequate messages on their consoles for the management. This is the same procedure as in the update protocol.
The protocol for making the scheme verifiable is:

All P_i's in B compute k + 2 random values {c_{ij}}_{j ∈ B} in Z_q each, and broadcast:

\bigl(\{g^{c_{ij}} \pmod p\}_{j \in B},\ \{E_j[c_{ij}]\}_{j \in B}\bigr) \quad (3)

and a signature of this message (step 612).

At step 614, all P_j's in B decrypt values {c_{ij}}_{i ∈ B} from the above broadcasts and verify whether they were given right
shares from every server P_i, by taking the exponent

g^{c_{ij}} \pmod p

broadcast by P_i in the same message. If this value does not agree, P_j broadcasts an accusation acc_{ij} = (i, j, S_j[i, j])
of P_i to all servers (step 616). It also marks P_i as a "bad" server.

At step 618, just like in the update protocol, for each accusation acc_{ij} by some server P_j, server P_i verifies the sig-
nature S_j[i, j], and if this proves that the originator of the accusation knows x_j, then P_i responds by broadcasting the share and
the random vector used in communication with P_j: resp_{ij} = (c'_{ij}, k'_{ij}), so as to allow for a public trial to determine
who was cheating (step 620).

At step 622, every server P (not only the ones in B), for all pairs acc_{ij}, resp_{ij} broadcasted in the two previous steps,
verifies whether these are the true values used in the communication between P_i and P_j, and if they are, checks
whether the exponent

g^{c'_{ij}} \pmod p

of the sent value agrees with the exponent broadcasted by P_i in the set

\{g^{c_{ij}} \pmod p\}_{j \in B}.

This step is equivalent to the verification in step 420 of the update protocol. Either P_i or P_j will turn out to be cheaters
and will be adequately marked as "bad" by P.

At step 624, every server considers its local set F_i of servers it marked as "bad" in the previous step. If
|F_i| = m ≠ 0, they compute the new set B ← (B \ F) ∪ {max(B) + 1, ..., max(B) + m}. Due to broadcasts, all honest and
active servers will have the same view of F and hence the same view of the new B. After they recompute the B, they
start the protocol again from step 610.

At step 626, if nobody cheated in the previous step, every server P_i computes its subshare:

a'_i = a_i + \sum_{j \in B} c_{ij} - \sum_{j \in B} c_{ji} \pmod q \quad (4)


At step 628, each server P_i in B broadcasts

to all servers, where k_i is a random number in Z_q.

At step 630, P_u decrypts all {a'_i}_{i ∈ B} from these broadcasts and computes x_u = Σ_{i ∈ B} a'_i (mod q). Then it checks
whether the exponent

g^{x_u} \pmod p

of this value is the same as the public key that was installed initially. If it is, the reconstruction ends at step 632.
If not, some server from B must have cheated. P_u finds the cheaters by evaluating for every i ∈ B:

g^{a_i} = y_i^{\prod_{j \in B,\, j \neq i} \frac{u - j}{i - j}} \pmod p,

g^{a'_i} = g^{a_i} \prod_{j \in B} g^{c_{ij}} \Bigl(\prod_{j \in B} g^{c_{ji}}\Bigr)^{-1} \pmod p,

where the values g^{c_{ij}} are taken from the broadcasts in step 612. If the second formula does not hold, it means that P_i did not send the proper a'_i
to P_u. To prove it to others, P_u broadcasts its accusation acc_i = (i, S_temp[i]) to all other servers (step 634). Also, it
itself marks all the cheaters as a "bad" set F.

At step 636, like in step 618 of this protocol, every accused server P_i verifies the signature on the accusation acc_i
and if it is valid, it broadcasts the response resp_i = (i, k'_i, a'_i).

At step 638, every server P checks all these accusations by first checking that these are the values used in the
communication and then checking the same verification equations as P_u performed above. Again, they will all arrive at
the same set F of servers they detected to be faulty. If it turns out that it is P_u who is cheating, then they will all send
adequate messages to the system managers and the recovery procedure will be stopped (step 640). This event would
mean that P_u is again controlled by the adversary. This is just like any other adversary detection: The system managers
will read the warnings displayed by the servers and restart the whole recovery process. If however, P_u's accusations
are correct then, as usual, the servers display proper warnings for the system management and continue the recovery
by recomputing the set B: B ← (B \ F) ∪ {max(B) + 1, ..., max(B) + m}, where |F| = m, and restarting the whole pro-
tocol from step 610.
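The share refresh of steps 410-422 and the share recovery of steps 610-632 in working form, as an added example written for this page rather than code from the patent. It assumes a toy group p = 2q + 1 = 2039 with g = 4 of prime order q (constructed for illustration), sharing polynomials of degree k + 1 so that k + 2 shares interpolate as in the groups B above, and leaves out the ElGamal encryption and signatures on the messages so that the share arithmetic and the two exponent checks stand alone.

```python
import random

# Toy group constructed for illustration: p = 2q + 1 with p, q prime; g = 2^2 has order q.
P, Q, G = 2039, 1019, 4
K, N = 1, 5                      # degree-(k+1) polynomials, so any k+2 = 3 shares interpolate
rng = random.Random(7)           # seeded so the demo is reproducible


def poly_eval(coeffs, z):
    """Evaluate c[0] + c[1] z + ... + c[d] z^d in Z_q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % Q
    return acc


def lagrange_coeff(i, B, u):
    """Weight of share i when interpolating the sharing polynomial at point u:
    lambda_i = prod_{j in B, j != i} (u - j) / (i - j) mod q."""
    lam = 1
    for j in B:
        if j != i:
            lam = lam * (u - j) * pow((i - j) % Q, -1, Q) % Q
    return lam


def feldman_ok(u_ij, j, comm):
    """Equation (2): g^{u_ij} == prod_t (g^{f_it})^{j^t} (mod p), checked by P_j
    against the commitments (g^{f_i1}, ..., g^{f_i(k+1)}) carried in msg_i."""
    rhs = 1
    for t, c in enumerate(comm, start=1):
        rhs = rhs * pow(c, pow(j, t, Q), P) % P
    return pow(G, u_ij, P) == rhs


def update_round(shares, cheater=None):
    """Steps 410-422: each server adds a random degree-(k+1) polynomial with zero
    free term; a share failing (2) is exposed by the accusation/response trial and
    its sender is excluded from the agreed set B used by every honest server."""
    servers = sorted(shares)
    polys = {i: [0] + [rng.randrange(1, Q) for _ in range(K + 1)] for i in servers}
    comm = {i: [pow(G, c, P) for c in polys[i][1:]] for i in servers}       # exponent part of msg_i
    u = {i: {j: poly_eval(polys[i], j) for j in servers} for i in servers}  # u_ij = f_i(j)
    if cheater is not None:
        victim = next(j for j in servers if j != cheater)
        u[cheater][victim] = (u[cheater][victim] + 1) % Q      # constructed fault: one bad share
    accused = {i for i in servers for j in servers if not feldman_ok(u[i][j], j, comm[i])}
    B = [i for i in servers if i not in accused]
    new = {j: (shares[j] + sum(u[i][j] for i in B)) % Q for j in servers}
    return new, accused


def recover_share(shares, u, B):
    """Steps 610-632: servers in B rebuild x_u = f(u) for P_u from rerandomized
    Lagrange terms a'_i (equation (4)); each a'_i is audited in the exponent using
    the public y_i = g^{x_i} and the broadcast g^{c_ij} values."""
    a = {i: shares[i] * lagrange_coeff(i, B, u) % Q for i in B}            # plain a_i
    c = {i: {j: rng.randrange(Q) for j in B} for i in B}                    # c_ij, step 612
    a_prime = {i: (a[i] + sum(c[i][j] for j in B) - sum(c[j][i] for j in B)) % Q for i in B}
    audit_ok = True
    for i in B:
        g_ai = pow(pow(G, shares[i], P), lagrange_coeff(i, B, u), P)      # g^{a_i} = y_i^{lambda_i}
        num = den = 1
        for j in B:
            num = num * pow(G, c[i][j], P) % P
            den = den * pow(G, c[j][i], P) % P
        audit_ok &= pow(G, a_prime[i], P) == g_ai * num * pow(den, -1, P) % P
    return sum(a_prime.values()) % Q, audit_ok, a, a_prime


def demo():
    f = [rng.randrange(Q) for _ in range(K + 2)]            # sharing polynomial of degree k+1
    x = f[0]                                                # long-lived secret x = f(0)
    shares = {i: poly_eval(f, i) for i in range(1, N + 1)}
    refreshed, accused = update_round(shares, cheater=2)    # server 2 is controlled
    B = [1, 3, 4]                                           # k+2 servers outside the accused set
    x_again = sum(refreshed[i] * lagrange_coeff(i, B, 0) for i in B) % Q
    x5, audit_ok, a, a_prime = recover_share(refreshed, 5, B)   # server 5 lost its new share
    return {"secret_preserved": x == x_again, "accused": accused,
            "recovered_ok": x5 == refreshed[5], "audit_ok": audit_ok,
            "rerandomized": a != a_prime}                   # P_u sees a'_i, never the a_i


if __name__ == "__main__":
    print(demo())
```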






Security of the Update Protocol in the Presence of Controlled Servers 

Securing the above protocol in the presence of k cheating servers and no attacks on the links can be reduced to
verifiable secret sharing. Namely, the solution is a mechanism with which the honest servers will be able to detect if
any particular server P_i was cheating in the protocol. In this case, they will unanimously mark its shares of updating pol-
ynomial f_i as "bad". P_i cheats in the above protocol if and only if the values that it sends to other servers in step 612 are
not proper values of any k degree polynomial f_i over Z_q such that f_i(0) = 0 (mod q). This is a somewhat simplified case
of verifiable secret sharing, which is called verified sharing of a value, because every server P_i distributes a known value
zero among (n - 1) other servers (it also gives one share to itself). Just like in verifiable secret sharing, honest servers
should unanimously agree whether the "secret" value zero was properly shared by P_i. Also, just like in verifiable secret
sharing, it should be achieved in such a way that each server learns only its own secret share.
The modified steps 618-620 of the update protocol from above would be:

where B_j is the set of indexes of all servers whose update polynomials were not marked as "bad" by P_j. With the verifiable
secret sharing mechanism, if P_i and P_j are both honest during the update phase, then B_i = B_j, i.e. they will have the
same judgment about the honesty of other servers.

Existing protocols for verifiable secret sharing all require a broadcast channel. Therefore, from this point, assume
that each of the n secret-sharing servers has a link that connects it to a common broadcast channel like ethernet. Every
message that gets onto this broadcast channel gets to all links connecting this channel to the servers.

If verifiable secret sharing in the presence of up to k cheating, disabled or frozen servers during the update is
achieved, there will be at least n - k updating polynomials f_i with which every honest server will update its shares.

This degree of re-randomization of shares is enough to ensure the second property of the proactive scheme,
namely that knowing k shares before the update and k shares after does not let the adversary reconstruct the secret.
The fine point is when k servers are controlled during the update: The adversary will then know k shares of each updat-
ing polynomial f_i, and this will allow her to reconstruct all of them, because the free coefficient of them all is known to
be zero. Hence, she can compute the total updating value δ(i) = (f_1(i) + f_2(i) + ... + f_n(i)) (mod q) of every server P_i.
However, if the adversary compromises a set F of k servers during the update phase, she cannot compromise any
other servers in either the round before or after this update. Hence she knows all {x_i^(t)}_{i ∈ F} and {δ(i)}_{i ∈ {1,...,n}}, which in par-
ticular allows her to compute {x_i^(t+1)}_{i ∈ F}, which she knows anyway. But she still cannot learn any additional share x_j^(t), j ∉ F,
or x_j^(t+1), j ∉ F, which would allow her to reconstruct the secret.

Security of the Update Protocol in the Presence of "Duplication" Attacks and Link Attacks 

If the adversary compromises server A in round l and leaves it in the same round, then during the update phase
between rounds l and (l + 1) this server will not be faulty, but the adversary will know all its secrets. Assume an adver-
sary who has only compromised servers (no active disruption of the protocol). Let F be the set of servers compromised
by the adversary during round l and during the update l/(l + 1). In the worst case, |F| = (k - 1). Let G be a set of "good"
servers, who are absolutely secure against the adversary both in the round and during the update. Obviously, each P_i,
i ∈ G that they will send to servers P_j. Now, depending on the protocol, it may or may not learn the shares of f_i, i ∈ G
that A gets. If servers send the shares of their updating polynomials just encrypted under the key known to A, then the
adversary can learn them.

Proactively Secure Public Key Certification Authority 

Presented is a complete solution showing how to apply proactive secret sharing to implement a proactively secure
Key Certification Authority center. Described is a system that performs an ElGamal signature operation on messages
and maintains its signature key proactively. Such a system can be effectively used as a key certification authority,
because the messages it signs could be the public keys and identification tags of other users.

Distributed Version of EIGamal Signature 

At first, assume a distributed version of the ElGamal signature algorithm, in which a signature operation is per-
formed by a group of participating servers, who form a signature center together. The signature is composed of the par-
tial signatures of these servers. It can be checked with a single public verification key. This means that, conceptually,
there is also a single signature key, only that it is shared among the servers forming the signature center. The algorithm
allows a change in the distribution of this secret key among the servers that share it, i.e. it allows proactive update of
shares.
Initialization

Let p be a large prime number and g a random number smaller than p. Both p and g are known by all the parties in
the network. Each server P_i takes as its private key a random number x_i, where i ∈ {1,...,n} and x_i < q - 1. After the private
keys of all the servers are initialized, it is required that in every consequent round, the sum
x_1^(t) + x_2^(t) + ... + x_n^(t) = x (mod q), where x_i^(t) stands for the private key of the server P_i at round t and x stands for
a conceptual constant secret key of the signature center. Initially, each server computes the public counterpart of its pri-
vate key:

y_i = g^{x_i} \pmod p.

Then they send out their parts of a public key to one another, so that the public verification counterpart of x can be com-
puted:

y \leftarrow y_1 y_2 \cdots y_n = g^{x_1} g^{x_2} \cdots g^{x_n} = g^{x} \pmod p \quad (5)

The sequence (p, g, y, n) is a public key used for verification of the signatures produced by this signature center.



Issuing of a Signature 



To sign message m, each server picks its own secret random number k_i, relatively prime to (p - 1). Then each server
P_i computes the first part of its signature:

r_i = g^{k_i} \pmod p.

Each server broadcasts its r_i to the other servers, so that each of them can compute the second part of its signature:

s_i = k_i^{-1} (m - x_i r_1 r_2 \cdots r_n) \pmod{p - 1} \quad (6)

The value of k_i^{-1} (mod p - 1) can be found by the Euclidean algorithm, just like in the original ElGamal signature scheme.
The signed message is the following sequence:

S(m) = (m, s_1, s_2, \ldots, s_n, r_1, r_2, \ldots, r_n) \quad (7)

Verification of a Signature 

The party that needs to verify the signature checks whether the following is true:

g^{nm} = y^{r_1 r_2 \cdots r_n}\, r_1^{s_1} r_2^{s_2} \cdots r_n^{s_n} \pmod p \quad (8)

We can show that this is true by the following transformations:

y^{r_1 \cdots r_n}\, r_1^{s_1} \cdots r_n^{s_n} = g^{x_1 r_1 \cdots r_n + \cdots + x_n r_1 \cdots r_n}\, g^{m - x_1 r_1 r_2 \cdots r_n} \cdots g^{m - x_n r_1 \cdots r_n} = g^{nm} \pmod p.



Security Analysis 

The security of the above basic distributed ElGamal algorithm, as well as the rest of the present protocol, relies on
the assumption that computing logarithms in the finite field of big prime order is computationally infeasible in probabilistic
polynomial time. This is the fundamental security assumption of the ElGamal and DSA encryption and signature
schemes. The above distributed version of the ElGamal public key algorithm is just as secure as the original version: if the
attacker can break the present invention's algorithm, she would be able to break the regular ElGamal as well. Assume
that the attacker knows m, S(m) and x_1, x_2, ..., x_{n-1}. What she still needs is x_n. She can compute

where the negative exponent is computed modulo (p - 1). We substitute x = x_n s_n, k = k_n r_1 r_2 ⋯ r_n. Then the attacker
knows:

g^{x} = (y_n)^{s_n} \pmod p, \qquad g^{k} = (g^{k_n})^{r_1 r_2 \cdots r_n} \pmod p

and x + k = s_n k_n + x_n r_1 r_2 ⋯ r_n = m (mod p - 1). In this set of three equations, one of the first two can be derived from
the rest. For example, g^k = g^{x+k} (g^x)^{-1} (mod p). So, left are the following two equations, where a, b are known and
x, k are unknown:

g^{x} = a \pmod p, \qquad x + k = b \pmod{p - 1}

The security of the original ElGamal algorithm is based on the fact that the second equation does not give out any infor-
mation about x, if k is unknown, and hence, ElGamal is as secure as it is computationally infeasible to compute a loga-
rithm x = log_g a (mod p) in probabilistic polynomial time.



Adapting the Distributed EIGamal to Proactive Threshold Secret Sharing Scheme 

The present invention incorporates Shamir polynomial secret-sharing into the above distributed ElGamal. This incor-
poration creates a threshold proactive scheme, but the threshold holds only during the round. As noted before, a threshold
during the update phase requires a recovery mechanism. This scheme does not achieve robustness. Hence, this prelim-
inary scheme is secure against an adversary who:

• Can compromise up to k servers in each round.

• Can freeze up to k servers during the round, but not during an update phase.

The present invention is related to the Desmedt and Frankel solution of threshold secret-sharing in the exponent,
described in Threshold Cryptosystems, Crypto 89, pp. 307-15, which is hereby incorporated by reference. Their idea
was to use Shamir threshold secret-sharing by a polynomial of degree k and then compute the exponent of the secret with
a group of (k + 2) honest servers by computing the components of the Lagrange interpolation formula locally at each server.
The similarity between their scheme and the present invention is that both use Lagrange reconstruction of a secret
shared with a polynomial, but nobody can learn the reconstructed secret in the process. The secret is only used to
either exponentiate a message (in the case of Desmedt and Frankel) or issue an ElGamal-derived signature (in the
present invention). The present invention uses a k degree polynomial function f to secret-share f(0) = x among n serv-
ers. It picks p and the element g so that g is of prime order q, i.e. g^q = 1 (mod p). q should be as big as possible,
so that p = mq + 1, m ∈ {2, 3, 4}. The public key now becomes a sequence (p, q, g, y, k).

The present invention assumes that during a safe initialization stage, each server gets its secret share of x,
x_i = f(i), where f is computed in Z_q. To issue a signature, the servers agree on a group B of any (k + 2) active servers
that will participate in signing. The other servers are idle. Knowing set B, each server P_i, i ∈ B computes:

a_i = x_i \prod_{j \in B,\, j \neq i} \frac{j}{j - i} \pmod q \quad (9)

From the Lagrange interpolation formula, this ensures that

\sum_{i \in B} a_i = x \pmod q \quad (10)

because ∀i, x_i = f(i), x = f(0) and f is a k degree polynomial in Z_q. The existence of inverses of (i - j), i ≠ j is ensured
by the fact that q is prime. Using the a_i's as their partial secrets, servers in B issue their partial signatures (r_i, s_i), i ∈ B
following the basic proactive protocol from above:

r_i = g^{k_i} \pmod p

S(m) = (m, \{(r_i, s_i)\}_{i \in B})

The verification formula becomes:

g^{(k+2)m} = y^{\prod_{(r_i, s_i) \in S(m)} r_i} \prod_{(r_i, s_i) \in S(m)} r_i^{s_i} \pmod p \quad (11)



Verification and Robustness in Signing Protocol

The first property that must be added to the above preliminary threshold scheme is robustness during the round.
This will make it secure against an adversary who can control up to k servers, but still only during the round, not during
an update phase. The above threshold scheme is signers-dependent, because it is essential that before issuing the sig-
nature, honest servers agree on the (k + 2) element set B of servers that will cooperate to sign the message. To be able
to pick set B of some currently active, honest servers, a mechanism with which honest servers can filter out cheaters is
needed. Formally, each server, knowing B, m and S(m), should be able to verify for every server P_i, i ∈ B, whether its
partial signature (r_i, s_i) ∈ S(m) is correct, in the sense of being computed according to the protocol with the same m,
g, p, q and the proper secret key a_i computed according to equation (5).

To enable this mutual partial verification between the servers, the present invention treats secret shares x_i^(t) of each
server as their private signature keys and gives all other servers the public verification counterpart to these keys:

y_i^{(t)} = g^{x_i^{(t)}} \pmod p.

Every honest processor P (not only those that are currently in B) verifies a partial signature (r_i, s_i) ∈ S(m) of every
server in B in the following two steps:

1. Knowing current B and

y_i = g^{x_i} \pmod p,

P computes

g^{a_i} = (y_i)^{\prod_{j \in B,\, j \neq i} \frac{j}{j - i}} \pmod p.

2. Having computed

g^{a_i}

as above, P takes S(m) and verifies P_i's signature by the equation:

In this way all honest servers can determine the set F ⊂ B of faulty servers that cheated while issuing the signature S(m).
Since the servers are ordered by their indices i ∈ {1,...,n}, it is trivial for honest servers to update set B to filter out the
detected cheaters and try a new set of active servers. For example, at the beginning of every round they start with B =
{1, 2, ..., k + 2} and every time they sign and detect a set of m > 0 cheaters F = {i_1, ..., i_m} they take

B \leftarrow (B \setminus F) \cup \{\max(B) + 1, \ldots, \max(B) + m\} \quad (13)

Since the present invention assumes that at every round, up to k servers can be taken over by the adversary and thus
can be cheating, the following update will be performed no more than k times (in the case when the cheaters come out
"one by one"). This is equivalent to issuing up to k extra signatures every round. This is a negligible overhead.
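Threshold signing from shares with equations (9) to (11), the per-server partial check of steps 1 and 2 above, and the set update of equation (13), as an added example that is not taken from the patent. It assumes the same toy group p = 2039, q = 1019, g = 4 (constructed), uses the message value directly in place of h(m), and the partial-signature check it applies is derived here from (6) and (9), since equation (12) does not appear in the text above.

```python
import random

# Toy group constructed for illustration: p = 2q + 1, g = 2^2 has prime order q.
P, Q, G = 2039, 1019, 4
rng = random.Random(11)          # seeded so the demo is reproducible


def lagrange_at_zero(i, B):
    """Coefficient prod_{j in B, j != i} j / (j - i) mod q from equation (9)."""
    lam = 1
    for j in B:
        if j != i:
            lam = lam * j * pow((j - i) % Q, -1, Q) % Q
    return lam


def prod_mod_q(values):
    """Product of the broadcast r_i, reduced mod q because it is used as an exponent of g."""
    R = 1
    for v in values:
        R = R * v % Q
    return R


def sign(m, shares, B):
    """Signing round among the servers in B: a_i = x_i * lambda_i (equation (9)),
    r_i = g^{k_i}, then once every r_j is known s_i = k_i^{-1}(m - a_i * prod r_j) in Z_q.
    Returns S(m) = (m, {i: (r_i, s_i)}); m stands in for h(m) in Z_q."""
    a = {i: shares[i] * lagrange_at_zero(i, B) % Q for i in B}
    k = {i: rng.randrange(1, Q) for i in B}
    r = {i: pow(G, k[i], P) for i in B}
    R = prod_mod_q(r.values())
    sig = {i: (r[i], pow(k[i], -1, Q) * (m - a[i] * R) % Q) for i in B}
    return m, sig


def verify(y, signature):
    """Equation (11): g^{|B| m} == y^{prod r_i} * prod r_i^{s_i} (mod p)."""
    m, sig = signature
    R = prod_mod_q(r_i for r_i, _ in sig.values())
    rhs = pow(y, R, P)
    for r_i, s_i in sig.values():
        rhs = rhs * pow(r_i, s_i, P) % P
    return pow(G, len(sig) * m % Q, P) == rhs


def cheaters(signature, y_pub, B):
    """Robustness steps 1-2: from the public y_i compute g^{a_i} = y_i^{lambda_i}, then
    check the partial with g^m == (g^{a_i})^{prod r_j} * r_i^{s_i} (mod p). This check is
    our derivation from (6) and (9), not the patent's equation (12). Returns the set F."""
    m, sig = signature
    R = prod_mod_q(r_i for r_i, _ in sig.values())
    F = set()
    for i, (r_i, s_i) in sig.items():
        g_ai = pow(y_pub[i], lagrange_at_zero(i, B), P)
        if pow(G, m, P) != pow(g_ai, R, P) * pow(r_i, s_i, P) % P:
            F.add(i)
    return F


def demo():
    k, n, m = 1, 5, 777
    f = [rng.randrange(Q) for _ in range(k + 2)]                  # degree k+1: k+2 shares interpolate
    shares = {i: sum(c * pow(i, t, Q) for t, c in enumerate(f)) % Q for i in range(1, n + 1)}
    y = pow(G, f[0], P)                                            # public verification key g^x
    y_pub = {i: pow(G, x_i, P) for i, x_i in shares.items()}       # y_i maintained by the update protocol
    B = [1, 2, 3]
    honest = verify(y, sign(m, shares, B))
    tampered = sign(m, shares, B)                                  # constructed fault: server 2 corrupts s_2
    r2, s2 = tampered[1][2]
    tampered[1][2] = (r2, (s2 + 1) % Q)
    F = cheaters(tampered, y_pub, B)
    new_B = sorted((set(B) - F) | set(range(max(B) + 1, max(B) + 1 + len(F))))   # equation (13)
    return {"honest_verifies": honest, "tampered_verifies": verify(y, tampered),
            "cheaters": F, "new_B": new_B, "retry_verifies": verify(y, sign(m, shares, new_B))}


if __name__ == "__main__":
    print(demo())
```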

The update protocol from above can be extended to ensure maintenance of the public counterparts y_i^(t) of the secret
shares x_i^(t) for every round t. In step (2), when server P_i sends f_i(j) to P_j, it also sends

to all other servers. This will allow all the servers to compute the public key for all i:

Assuming "hardness" of computing logarithms in Z_p, broadcasting

does not help the adversary.

Although the present invention and its advantages have been described in detail, it should be understood that var- 
ious changes, substitutions and alterations can be made herein without departing from the spirit and scope of the inven- 
tion as defined by the appended claims. 

Claims 

1. A method of public key cryptography having proactive, robust and recoverable distributed threshold secret sharing, 
comprising the steps of: 

initializing servers linked by a communications network to form keys; 
synchronizing said servers to operate in discrete rounds having ends; 

calculating updated keys at said ends of said rounds from messages broadcast on said communications network; 
verifying said updated keys to form a set of compromised servers; and 
recovering said set of compromised servers. 

2. The method of claim 1, wherein said initializing servers linked by a communications network to form keys comprises the steps of:

choosing random numbers for each said server; 

calculating secret values for each said server from said random numbers; 
calculating private keys for each said server from said secret values; and 
broadcasting public counterparts of said private keys on said communications network. 

3. The method of claim 1, wherein said calculating updated keys at said ends of said rounds from messages broadcast on said communications network comprises the steps of:

picking a set of random numbers defining a polynomial for each said server; 

picking a new private key for each said server, said new private key derived from said polynomial; and 
broadcasting messages derived from said polynomial on said communications network. 

4. The method of claim 1 , wherein said verifying said updated keys to form a set of compromised servers comprises 
the steps of: 

analyzing said messages broadcast on said communications network to form a set of bad servers; 
creating a set of accusations corresponding to said set of bad servers; 
broadcasting said set of accusations on said communications network; and
analyzing said broadcasted set of accusations to form an updated set of bad servers. 

5. The method of claim 1, further comprising the step of displaying messages identifying said set of compromised 
servers on a console. 

6. The method of claim 1 , wherein said recovering said set of compromised servers comprises the steps of: 
installing a new private key in each server in said set of compromised servers; 

choosing a set of recovery servers from said servers; 

computing sub-shares for each server in said set of recovery servers; 

broadcasting messages derived from said sub-shares on said communications network; and 

verifying said messages derived from said sub-shares received by said set of compromised servers. 

7. The method of claim 6, wherein said choosing a set of recovery servers comprises: 
choosing a subset of said servers; 

computing a set of random values for each server in said subset; 

broadcasting signed messages derived from said set of random values on said communications network; 
verifying said signed messages to derive a set of bad servers; and 
eliminating said set of bad servers from said subset of said servers. 

8. The method of claim 1 , further comprising the steps of: 
picking random numbers for each said server; 

computing first parts of signatures for each said server from said random numbers; 
broadcasting said first parts of signatures on said communications network; and 
computing second parts of signatures for each said server from said first parts of signatures. 

9. The method of claim 8, further comprising the step of verifying a message signed with said second parts of signatures.

10. A data processing system for processing a public key cryptography scheme having proactive, robust and recoverable distributed threshold secret sharing, comprising:

servers linked by a communications network; 

initialization means for initializing said servers to form keys associated with said servers; 

timing means for synchronizing operation of said servers into discrete rounds having ends; 

updating means for updating said keys at the end of each round of said discrete rounds to produce updated keys; 

verification means for verifying said updated keys to form a set of compromised servers; and 

recovery means for recovering said set of compromised servers. 

11. The data processing system of claim 10, wherein said initialization means comprises: 
choosing means for choosing a random number for each said server; 

first calculating means for calculating a secret value for each said server from said random number; 

second calculating means for calculating a private key and a public counterpart of said private key for each said server from said secret value; and

broadcasting means for broadcasting said public counterpart of each said private key on said communications network.

12. The data processing system of claim 10, wherein said updating means for updating said keys at the end of each 
round of said discrete rounds to produce updated keys comprises: 

random number generating means for generating a set of random numbers defining a polynomial, said set of random numbers associated with each said server;

private key generating means for generating a new private key for each said server from said polynomial; and
broadcasting means for broadcasting a message on said communications network derived from said polynomial.

13. The data processing system of claim 10, wherein said verification means for verifying said updated keys to form a 
set of compromised servers comprises: 

first analysis means for analyzing messages broadcast on said communications network to form a set of bad servers;

accusation means for creating a set of accusations corresponding to said set of bad servers;
broadcasting means for broadcasting said set of accusations on said communications network; and

second analysis means for analyzing said broadcasted set of accusations to form an updated set of bad servers.

14. The data processing system of claim 10, further comprising display means for displaying said set of compromised 
servers. 

15. The data processing system of claim 10, wherein said recovery means for recovering said set of compromised 
servers comprises: 

selecting means for selecting a set of recovery servers from said servers; 
computing means for computing a sub-share for each server in said set of recovery servers; 
broadcasting means for broadcasting messages derived from said sub-share from each server in said set of recovery servers on said communications network; and

verification means for verifying said messages derived from each said sub-share received by said set of compromised servers.

16. The data processing system of claim 15, wherein said selecting means for selecting a set of recovery servers comprises:

choosing means for choosing a subset of said servers;

computing means for computing a set of random values for each server in said subset;

broadcasting means for broadcasting signed messages derived from said set of random values on said communications network;

verification means for verifying said signed messages to derive a set of bad servers; and
elimination means for eliminating said set of bad servers from said subset.

17. The data processing system of claim 10, further comprising:

random number generation means for generating a set of random numbers for each said server;
first computing means for computing first parts of signatures for each said server from said set of random numbers;
broadcasting means for broadcasting said first parts of signatures on said communications network; and
second computing means for computing second parts of signatures for each said server from said first parts of signatures.

18. The data processing system of claim 17, further comprising verification means for verifying a message signed with said second parts of signatures.

FIG. 5